dbcfdd68ea
update to 3.3.11 OBS-URL: https://build.opensuse.org/request/show/212267 OBS-URL: https://build.opensuse.org/package/show/server:proxy/squid?expand=0&rev=47
449 lines
17 KiB
HTML
449 lines
17 KiB
HTML
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
|
|
<HTML>
|
|
<HEAD>
|
|
<META NAME="GENERATOR" CONTENT="LinuxDoc-Tools 0.9.69">
|
|
<TITLE>Squid 3.3.11 release notes</TITLE>
|
|
</HEAD>
|
|
<BODY>
|
|
<H1>Squid 3.3.11 release notes</H1>
|
|
|
|
<H2>Squid Developers</H2>
|
|
<HR>
|
|
<EM>This document contains the release notes for version 3.3 of Squid.
|
|
Squid is a WWW Cache application developed by the National Laboratory
|
|
for Applied Network Research and members of the Web Caching community.</EM>
|
|
<HR>
|
|
<P>
|
|
<H2><A NAME="toc1">1.</A> <A HREF="#s1">Notice</A></H2>
|
|
|
|
<UL>
|
|
<LI><A NAME="toc1.1">1.1</A> <A HREF="#ss1.1">Known issues</A>
|
|
<LI><A NAME="toc1.2">1.2</A> <A HREF="#ss1.2">Changes since earlier releases of Squid-3.3</A>
|
|
</UL>
|
|
<P>
|
|
<H2><A NAME="toc2">2.</A> <A HREF="#s2">Major new features since Squid-3.2</A></H2>
|
|
|
|
<UL>
|
|
<LI><A NAME="toc2.1">2.1</A> <A HREF="#ss2.1">SQL Database logging helper</A>
|
|
<LI><A NAME="toc2.2">2.2</A> <A HREF="#ss2.2">Time-Quota session helper</A>
|
|
<LI><A NAME="toc2.3">2.3</A> <A HREF="#ss2.3">SSL-Bump Server First</A>
|
|
<LI><A NAME="toc2.4">2.4</A> <A HREF="#ss2.4">Server Certificate Mimic</A>
|
|
<LI><A NAME="toc2.5">2.5</A> <A HREF="#ss2.5">Custom HTTP request headers</A>
|
|
</UL>
|
|
<P>
|
|
<H2><A NAME="toc3">3.</A> <A HREF="#s3">Changes to squid.conf since Squid-3.2</A></H2>
|
|
|
|
<UL>
|
|
<LI><A NAME="toc3.1">3.1</A> <A HREF="#ss3.1">New tags</A>
|
|
<LI><A NAME="toc3.2">3.2</A> <A HREF="#ss3.2">Changes to existing tags</A>
|
|
<LI><A NAME="toc3.3">3.3</A> <A HREF="#ss3.3">Removed tags</A>
|
|
</UL>
|
|
<P>
|
|
<H2><A NAME="toc4">4.</A> <A HREF="#s4">Changes to ./configure options since Squid-3.2</A></H2>
|
|
|
|
<UL>
|
|
<LI><A NAME="toc4.1">4.1</A> <A HREF="#ss4.1">New options</A>
|
|
<LI><A NAME="toc4.2">4.2</A> <A HREF="#ss4.2">Changes to existing options</A>
|
|
<LI><A NAME="toc4.3">4.3</A> <A HREF="#ss4.3">Removed options</A>
|
|
</UL>
|
|
<P>
|
|
<H2><A NAME="toc5">5.</A> <A HREF="#s5">Regressions since Squid-2.7</A></H2>
|
|
|
|
<UL>
|
|
<LI><A NAME="toc5.1">5.1</A> <A HREF="#ss5.1">Missing squid.conf options available in Squid-2.7</A>
|
|
</UL>
|
|
|
|
<HR>
|
|
<H2><A NAME="s1">1.</A> <A HREF="#toc1">Notice</A></H2>
|
|
|
|
<P>The Squid Team are pleased to announce the release of Squid-3.3.11.</P>
|
|
<P>This new release is available for download from
|
|
<A HREF="http://www.squid-cache.org/Versions/v3/3.3/">http://www.squid-cache.org/Versions/v3/3.3/</A> or the
|
|
<A HREF="http://www.squid-cache.org/Mirrors/http-mirrors.html">mirrors</A>.</P>
|
|
|
|
<P>A large number of the design flaws in SSL-Bump feature have been fixed along with general improvements all around.
|
|
While this release is not fully bug-free we believe it is ready for use in production on many systems.</P>
|
|
|
|
<P>We welcome feedback and bug reports. If you find a bug, please see
|
|
<A HREF="http://wiki.squid-cache.org/SquidFaq/BugReporting">http://wiki.squid-cache.org/SquidFaq/BugReporting</A>
|
|
for how to submit a report with a stack trace.</P>
|
|
|
|
<H2><A NAME="ss1.1">1.1</A> <A HREF="#toc1.1">Known issues</A>
|
|
</H2>
|
|
|
|
<P>Although this release is deemed good enough for use in many setups, please note the existence of
|
|
<A HREF="http://bugs.squid-cache.org/buglist.cgi?query_format=advanced&product=Squid&bug_status=UNCONFIRMED&bug_status=NEW&bug_status=ASSIGNED&bug_status=REOPENED&version=3.3">open bugs against Squid-3.3</A>.</P>
|
|
|
|
|
|
<H2><A NAME="ss1.2">1.2</A> <A HREF="#toc1.2">Changes since earlier releases of Squid-3.3</A>
|
|
</H2>
|
|
|
|
<P>The 3.3 change history can be
|
|
<A HREF="http://www.squid-cache.org/Versions/v3/3.3/changesets/">viewed here</A>.</P>
|
|
|
|
<H2><A NAME="s2">2.</A> <A HREF="#toc2">Major new features since Squid-3.2</A></H2>
|
|
|
|
<P>Squid 3.3 represents a new feature release above 3.2.</P>
|
|
|
|
<P>The most important of these new features are:
|
|
<UL>
|
|
<LI>SQL Database logging helper</LI>
|
|
<LI>Time-Quota session helper</LI>
|
|
<LI>SSL-Bump Server First</LI>
|
|
<LI>Server Certificate Mimic</LI>
|
|
<LI>Custom HTTP request headers</LI>
|
|
</UL>
|
|
</P>
|
|
<P>Most user-facing changes are reflected in squid.conf (see below).</P>
|
|
|
|
<H2><A NAME="ss2.1">2.1</A> <A HREF="#toc2.1">SQL Database logging helper</A>
|
|
</H2>
|
|
|
|
<P><EM>log_db_daemon</EM> - Database logging daemon for Squid</P>
|
|
|
|
<P>This program writes Squid access.log entries to an SQL database.
|
|
Written in Perl it can utilize any database supported by the Perl
|
|
database abstraction layer.</P>
|
|
|
|
<P>NOTE: Presently it only accepts the Squid native log format.</P>
|
|
|
|
|
|
<H2><A NAME="ss2.2">2.2</A> <A HREF="#toc2.2">Time-Quota session helper</A>
|
|
</H2>
|
|
|
|
<P><EM>ext_time_quota_acl</EM> - Time quota external ACL helper.</P>
|
|
|
|
<P>Allows an administrator to define time budgets (quota) for the
|
|
users of Squid to limit the time using Squid.</P>
|
|
|
|
<P>This is useful for corporate lunch time allocations, wifi portal
|
|
pay-per-minute installations or for parental control of children.</P>
|
|
|
|
<P>The administrator can define a time budget (e.g. 1 hour per day)
|
|
which is enforced through this helper using session estimations
|
|
of their browsing time. A 'pause' threshold is given in seconds
|
|
and defines the period between two requests to be treated as part
|
|
of the same session. Pauses shorter than this value will be
|
|
counted against the quota, longer ones ignored.</P>
|
|
|
|
|
|
<H2><A NAME="ss2.3">2.3</A> <A HREF="#toc2.3">SSL-Bump Server First</A>
|
|
</H2>
|
|
|
|
<P>Details at
|
|
<A HREF="http://wiki.squid-cache.org/Features/BumpSslServerFirst">http://wiki.squid-cache.org/Features/BumpSslServerFirst</A>.</P>
|
|
|
|
<P>When an intercepted connection is received, Squid first connects
|
|
to the server using SSL and receives the server certificate.
|
|
Squid then uses the host name inside the true server certificate
|
|
to generate a fake one and impersonates the server while still
|
|
using the already established secure connection to the server.</P>
|
|
|
|
<P>Bumping server first is essentially required for handling
|
|
intercepted HTTPS connections but the same scheme should be used
|
|
for most HTTP CONNECT requests because it offers a few advantages
|
|
compared to the old bump-client-first approach:</P>
|
|
<P>
|
|
<UL>
|
|
<LI>When Squid knows valid server certificate details, it can
|
|
generate its fake server certificate with those details.
|
|
With the bump-client-first scheme, all those details are lost.
|
|
In general, browsers do not care about those details but there
|
|
may be HTTP clients (or even human users) that require or could
|
|
benefit from knowing them.
|
|
</LI>
|
|
<LI>When a server sends a bad certificate, Squid may be able to
|
|
replicate that brokenness in its own fake certificate, giving
|
|
the HTTP client control whether to ignore the problem or
|
|
terminate the transaction. With bump-client-furst, it is
|
|
difficult to support similar dynamic, user-directed opt out;
|
|
Squid itself has to decide what to do when the server
|
|
certificate cannot be validated.
|
|
</LI>
|
|
<LI>When a server asks for a client certificate, Squid may be
|
|
able to ask the client and then forward the client certificate
|
|
to the server. Such client certificate handling may not be
|
|
possible with the bump-client-first scheme because it would
|
|
have to be done after the SSL handshake.
|
|
</LI>
|
|
<LI>Some clients (e.g., Rekonq browser v0.7.x) do not send host
|
|
names in CONNECT requests. Such clients require bump-server-first
|
|
even in forward proxying mode. Unfortunately, there are other
|
|
problems with fully supporting such clients (i.e., Squid does
|
|
not know whether the IP address in the CONNECT request is what
|
|
the user have typed into the address bar) so not all features
|
|
will work well for them until more specialized detection code
|
|
is added.</LI>
|
|
</UL>
|
|
</P>
|
|
|
|
<H2><A NAME="ss2.4">2.4</A> <A HREF="#toc2.4">Server Certificate Mimic</A>
|
|
</H2>
|
|
|
|
<P>Details at
|
|
<A HREF="http://wiki.squid-cache.org/Features/MimicSslServerCert">http://wiki.squid-cache.org/Features/MimicSslServerCert</A>.</P>
|
|
|
|
<P>One of the SslBump features serious drawbacks is the loss of
|
|
information embedded in SSL server certificate.
|
|
This certificate mimic feature passes original SSL server
|
|
certificate information to the user. Allowing the user to
|
|
make an informed decision on whether to trust the server
|
|
certificate.</P>
|
|
|
|
|
|
<H2><A NAME="ss2.5">2.5</A> <A HREF="#toc2.5">Custom HTTP request headers</A>
|
|
</H2>
|
|
|
|
<P>The <EM>request_header_add</EM> option is added to insert
|
|
HTTP header fields to outgoing HTTP requests (i.e.,
|
|
request headers sent by Squid to the next HTTP hop such as a
|
|
cache peer or an origin server). The option has no effect on
|
|
cache hit traffic or requests serviced by Squid and ICAP.</P>
|
|
|
|
<P>WARNING: If a standard HTTP header name is used, Squid does not check whether
|
|
the new header conflicts with any existing headers or violates
|
|
HTTP rules. If the request to be modified already contains a
|
|
field with the same name, the old field is preserved but the
|
|
header field values are not merged.</P>
|
|
|
|
<P>Field-value set can be either a token or a quoted string. If quoted
|
|
string format is used, then the surrounding quotes are removed
|
|
while escape sequences and %macros are processed.</P>
|
|
|
|
<P>In theory, all of the <EM>logformat</EM> codes can be used as %macros.
|
|
However, unlike logging (which happens at the very end of
|
|
transaction lifetime), the transaction may not yet have enough
|
|
information to expand a macro when the new header value is needed.
|
|
And some information may already be available to Squid but not yet
|
|
committed where the macro expansion code can access it (please report
|
|
such instances!). The macro will be expanded into a single dash
|
|
('-') in such cases. Not all macros have been tested.</P>
|
|
|
|
<P>One or more Squid ACLs may be specified to restrict header
|
|
injection to matching requests. As always in squid.conf, all
|
|
ACLs in an option ACL list must be satisfied for the insertion
|
|
to happen. The <EM>request_header_add</EM> option supports fast ACLs only.</P>
|
|
|
|
|
|
<H2><A NAME="s3">3.</A> <A HREF="#toc3">Changes to squid.conf since Squid-3.2</A></H2>
|
|
|
|
<P>There have been changes to Squid's configuration file since Squid-3.2.</P>
|
|
<P>This section gives a thorough account of those changes in three categories:</P>
|
|
<P>
|
|
<UL>
|
|
<LI>
|
|
<A HREF="#newtags">New tags</A></LI>
|
|
<LI>
|
|
<A HREF="#modifiedtags">Changes to existing tags</A></LI>
|
|
<LI>
|
|
<A HREF="#removedtags">Removed tags</A></LI>
|
|
</UL>
|
|
</P>
|
|
|
|
|
|
<H2><A NAME="newtags"></A> <A NAME="ss3.1">3.1</A> <A HREF="#toc3.1">New tags</A>
|
|
</H2>
|
|
|
|
<P>
|
|
<DL>
|
|
<DT><B>cache_miss_revalidate</B><DD>
|
|
<P>Whether Squid is to pass-through If-Modified-Since and If-None-Match headers on cache MISS.
|
|
Revalidation requests can prevent cache gathering objects to HIT on.</P>
|
|
<P>Based on the Squid-2.7 <EM>ignore_ims_on_miss</EM> feature.</P>
|
|
<P><EM>IMPORTANT:</EM> the meaning for on/off values has changed along with the name since 2.7.</P>
|
|
|
|
<DT><B>request_header_add</B><DD>
|
|
<P>New directive to add custom headers on HTTP traffic sent to upstream servers.</P>
|
|
|
|
<DT><B>sslproxy_cert_sign</B><DD>
|
|
<P>New option to determine how the client certificate sent to upstream servers is signed.</P>
|
|
|
|
<DT><B>sslproxy_cert_adapt</B><DD>
|
|
<P>New option to adapt certain properties of outgoing SSL certificates generated for use when bumping SSL to an upstream server.</P>
|
|
|
|
</DL>
|
|
</P>
|
|
|
|
<H2><A NAME="modifiedtags"></A> <A NAME="ss3.2">3.2</A> <A HREF="#toc3.2">Changes to existing tags</A>
|
|
</H2>
|
|
|
|
<P>
|
|
<DL>
|
|
<DT><B>acl</B><DD>
|
|
<P><EM>myport</EM> and <EM>myip</EM>ACL types replaced with <EM>localport</EM> and <EM>localip</EM> respectively.
|
|
To reflect that it matches the TCP connection details and not the squid.conf port.
|
|
This matters when dealing with intercepted traffic, where the Squid receiving port differs from the TCP connection IP:port.
|
|
Always use <EM>myportname</EM> type to match the squid.conf port details.</P>
|
|
<P>New default built-in ACLs for testing SSL certificate properties.</P>
|
|
<P><EM>ssl::certHasExpired</EM>,
|
|
<EM>ssl::certNotYetValid</EM>,
|
|
<EM>ssl::certDomainMismatch</EM>,
|
|
<EM>ssl::certUntrusted</EM>,
|
|
<EM>ssl::certSelfSigned</EM>.</P>
|
|
|
|
<DT><B>external_acl_type</B><DD>
|
|
<P><EM>%ACL</EM> format tag ported from 2.6.
|
|
Sends the name of ACL being tested to the external helper.</P>
|
|
<P><EM>%DATA</EM> format tag ported from 2.6.
|
|
Inserts the ACL arguments into a particular location of the helper input instead of at the end of the line.</P>
|
|
|
|
<DT><B>logformat</B><DD>
|
|
<P>New token <EM>%ssl::bump_mode</EM> to log the SSL-bump mode type performed on a request.
|
|
Logs values of: <EM>-</EM>, <EM>none</EM>, <EM>client-first</EM>, or <EM>server-first</EM>.</P>
|
|
<P>New token of <EM>%ssl::>cert_subject</EM> to log the Subject field of a SSL certificate received from the client.</P>
|
|
<P>New token of <EM>%ssl::>cert_issuer</EM> to log the Issuer field of a SSL certificate received from the client.</P>
|
|
|
|
<DT><B>ssl_bump</B><DD>
|
|
<P>New action types <EM>none</EM>, <EM>client-first</EM>, <EM>server-first</EM>. The default is <EM>none</EM>.</P>
|
|
<P>Use of <EM>allow</EM>/<EM>deny</EM> is now deprecated and they should be removed as soon as possible.
|
|
To retain the exact same behaviour between 3.3 and older releases replace <EM>deny</EM> with <EM>none</EM>,
|
|
and <EM>allow</EM> with <EM>client-first</EM>. However an upgrade to <EM>server-first</EM> is the recommended.</P>
|
|
<P><EM>NOTE</EM>: Mixing of allow/deny with the new action types is prohibited and will cause Squid to exit with a FATAL error.</P>
|
|
|
|
</DL>
|
|
</P>
|
|
|
|
<H2><A NAME="removedtags"></A> <A NAME="ss3.3">3.3</A> <A HREF="#toc3.3">Removed tags</A>
|
|
</H2>
|
|
|
|
<P>
|
|
<DL>
|
|
<DT><B>ignore_ims_on_miss</B><DD>
|
|
<P>This option has been replaced by the <EM>cache_miss_revalidate</EM> feature.</P>
|
|
|
|
</DL>
|
|
</P>
|
|
|
|
|
|
<H2><A NAME="s4">4.</A> <A HREF="#toc4">Changes to ./configure options since Squid-3.2</A></H2>
|
|
|
|
<P>There have been some changes to Squid's build configuration since Squid-3.2.</P>
|
|
<P>This section gives an account of those changes in three categories:</P>
|
|
<P>
|
|
<UL>
|
|
<LI>
|
|
<A HREF="#newoptions">New options</A></LI>
|
|
<LI>
|
|
<A HREF="#modifiedoptions">Changes to existing options</A></LI>
|
|
<LI>
|
|
<A HREF="#removedoptions">Removed options</A></LI>
|
|
</UL>
|
|
</P>
|
|
|
|
|
|
<H2><A NAME="newoptions"></A> <A NAME="ss4.1">4.1</A> <A HREF="#toc4.1">New options</A>
|
|
</H2>
|
|
|
|
<P>
|
|
<DL>
|
|
<P><EM>There are no new ./configure options in Squid-3.3.</EM></P>
|
|
|
|
</DL>
|
|
</P>
|
|
|
|
<H2><A NAME="modifiedoptions"></A> <A NAME="ss4.2">4.2</A> <A HREF="#toc4.2">Changes to existing options</A>
|
|
</H2>
|
|
|
|
<P>
|
|
<DL>
|
|
<DT><B>--enable-kqueue</B><DD>
|
|
<P>kqueue network I/O module is now built by default when it is available.
|
|
This option is no longer required to enable kqueue support,
|
|
but if used will abort build when kqueue dependencies are missing or broken.</P>
|
|
|
|
<DT><B>--disable-kqueue</B><DD>
|
|
<P>kqueue network I/O module is now built by default when it is available.
|
|
This configure option is now needed to disable it. Previously it did nothing.</P>
|
|
|
|
</DL>
|
|
</P>
|
|
<H2><A NAME="removedoptions"></A> <A NAME="ss4.3">4.3</A> <A HREF="#toc4.3">Removed options</A>
|
|
</H2>
|
|
|
|
<P>
|
|
<DL>
|
|
<DT><B>--enable-ntlm-fail-open</B><DD>
|
|
<P>This has not been supported by Squid for several versions.</P>
|
|
|
|
</DL>
|
|
</P>
|
|
|
|
|
|
<H2><A NAME="s5">5.</A> <A HREF="#toc5">Regressions since Squid-2.7</A></H2>
|
|
|
|
<P>Some squid.conf and ./configure options which were available in Squid-2.7 are not yet available in Squid-3.3</P>
|
|
|
|
<P>If you need something to do then porting one of these from Squid-2 to Squid-3 is most welcome.</P>
|
|
|
|
<H2><A NAME="ss5.1">5.1</A> <A HREF="#toc5.1">Missing squid.conf options available in Squid-2.7</A>
|
|
</H2>
|
|
|
|
<P>
|
|
<DL>
|
|
<DT><B>broken_vary_encoding</B><DD>
|
|
<P>Not yet ported from 2.6</P>
|
|
|
|
<DT><B>cache_dir</B><DD>
|
|
<P><EM>COSS</EM> storage type is lacking stability fixes from 2.6</P>
|
|
<P>COSS <EM>overwrite-percent=</EM> option not yet ported from 2.6</P>
|
|
<P>COSS <EM>max-stripe-waste=</EM> option not yet ported from 2.6</P>
|
|
<P>COSS <EM>membufs=</EM> option not yet ported from 2.6</P>
|
|
<P>COSS <EM>maxfullbufs=</EM> option not yet ported from 2.6</P>
|
|
|
|
<DT><B>cache_peer</B><DD>
|
|
<P><EM>idle=</EM> not yet ported from 2.7</P>
|
|
<P><EM>monitorinterval=</EM> not yet ported from 2.6</P>
|
|
<P><EM>monitorsize=</EM> not yet ported from 2.6</P>
|
|
<P><EM>monitortimeout=</EM> not yet ported from 2.6</P>
|
|
<P><EM>monitorurl=</EM> not yet ported from 2.6</P>
|
|
|
|
<DT><B>cache_vary</B><DD>
|
|
<P>Not yet ported from 2.6</P>
|
|
|
|
<DT><B>collapsed_forwarding</B><DD>
|
|
<P>Not yet ported from 2.6</P>
|
|
|
|
<DT><B>error_map</B><DD>
|
|
<P>Not yet ported from 2.6</P>
|
|
|
|
<DT><B>external_refresh_check</B><DD>
|
|
<P>Not yet ported from 2.7</P>
|
|
|
|
<DT><B>location_rewrite_access</B><DD>
|
|
<P>Not yet ported from 2.6</P>
|
|
|
|
<DT><B>location_rewrite_children</B><DD>
|
|
<P>Not yet ported from 2.6</P>
|
|
|
|
<DT><B>location_rewrite_concurrency</B><DD>
|
|
<P>Not yet ported from 2.6</P>
|
|
|
|
<DT><B>location_rewrite_program</B><DD>
|
|
<P>Not yet ported from 2.6</P>
|
|
|
|
<DT><B>refresh_pattern</B><DD>
|
|
<P><EM>stale-while-revalidate=</EM> not yet ported from 2.7</P>
|
|
<P><EM>ignore-stale-while-revalidate=</EM> not yet ported from 2.7</P>
|
|
<P><EM>negative-ttl=</EM> not yet ported from 2.7</P>
|
|
|
|
<DT><B>refresh_stale_hit</B><DD>
|
|
<P>Not yet ported from 2.7</P>
|
|
|
|
<DT><B>storeurl_access</B><DD>
|
|
<P>Not yet ported from 2.7</P>
|
|
|
|
<DT><B>storeurl_rewrite_children</B><DD>
|
|
<P>Not yet ported from 2.7</P>
|
|
|
|
<DT><B>storeurl_rewrite_concurrency</B><DD>
|
|
<P>Not yet ported from 2.7</P>
|
|
|
|
<DT><B>storeurl_rewrite_program</B><DD>
|
|
<P>Not yet ported from 2.7</P>
|
|
|
|
</DL>
|
|
</P>
|
|
|
|
</BODY>
|
|
</HTML>
|